diff options
Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/base/settings.C | 9 | ||||
-rw-r--r-- | src/usr/secureboot/settings.H | 13 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 7 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 84 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.H | 9 |
5 files changed, 112 insertions, 10 deletions
diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C index cda200b74..8caa6708c 100644 --- a/src/usr/secureboot/base/settings.C +++ b/src/usr/secureboot/base/settings.C @@ -5,7 +5,9 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* COPYRIGHT International Business Machines Corp. 2013,2014 */ +/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* [+] International Business Machines Corp. */ +/* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ /* you may not use this file except in compliance with the License. */ @@ -54,4 +56,9 @@ namespace SECUREBOOT { return 0 != (iv_regValue & SECURITY_SWITCH_TRUSTED_BOOT); } + + uint64_t Settings::getSecuritySwitch() + { + return iv_regValue; + } } diff --git a/src/usr/secureboot/settings.H b/src/usr/secureboot/settings.H index 116280c05..3da86e3cb 100644 --- a/src/usr/secureboot/settings.H +++ b/src/usr/secureboot/settings.H @@ -5,7 +5,9 @@ /* */ /* OpenPOWER HostBoot Project */ /* */ -/* COPYRIGHT International Business Machines Corp. 2013,2014 */ +/* Contributors Listed Below - COPYRIGHT 2013,2016 */ +/* [+] International Business Machines Corp. */ +/* */ /* */ /* Licensed under the Apache License, Version 2.0 (the "License"); */ /* you may not use this file except in compliance with the License. */ @@ -40,15 +42,18 @@ namespace SECUREBOOT /** @brief Determine if Secureboot is enabled. */ bool getEnabled(); + /** @brief Get security switch register value */ + uint64_t getSecuritySwitch(); + private: void _init(); - /** Cached register value. */ + /** Cached register value. */ uint64_t iv_regValue; - /** SCOM address for security settings. */ + /** SCOM address for security settings. */ static const uint64_t SECURITY_SWITCH_REGISTER; - /** Bitfield mask for Secureboot enable flag. */ + /** Bitfield mask for Secureboot enable flag. */ static const uint64_t SECURITY_SWITCH_TRUSTED_BOOT; }; } diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C index ea17bc39b..61e7a12a2 100644 --- a/src/usr/secureboot/trusted/base/trustedboot_base.C +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C @@ -90,10 +90,8 @@ errlHndl_t pcrExtend(TPM_Pcr i_pcr, TRACDCOMP( g_trac_trustedboot, ENTER_MRK"pcrExtend()" ); TRACUCOMP( g_trac_trustedboot, - ENTER_MRK"pcrExtend() pcr=%d msg='%s' digest=%016llX", - i_pcr, - i_logMsg, - *(reinterpret_cast<uint64_t*>(i_digest))); + ENTER_MRK"pcrExtend() pcr=%d msg='%s'", i_pcr, i_logMsg); + TRACFBIN(g_trac_trustedboot, "pcrExtend() digest:", i_digest, i_digestSize); // Ensure proper digest size uint8_t digestData[fullDigestSize]; @@ -109,6 +107,7 @@ errlHndl_t pcrExtend(TPM_Pcr i_pcr, (strlen(i_logMsg) < MAX_TPM_LOG_MSG ? strlen(i_logMsg) : MAX_TPM_LOG_MSG)); + for (size_t idx = 0; idx < MAX_SYSTEM_TPMS; idx++) { // Add the event to this TPM, if an error occurs the TPM will diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index 03d957b9e..a934b592c 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -41,12 +41,14 @@ #include <targeting/common/targetservice.H> #include <secureboot/trustedbootif.H> #include <secureboot/trustedboot_reasoncodes.H> +#include <sys/mmio.h> #include "trustedboot.H" #include "trustedTypes.H" #include "trustedbootCmds.H" #include "trustedbootUtils.H" #include "base/tpmLogMgr.H" #include "base/trustedboot_base.H" +#include "../settings.H" namespace TRUSTEDBOOT { @@ -149,7 +151,6 @@ void* host_update_master_tpm( void *io_pArgs ) break; } - // Lastly we will check on the backup TPM and see if it is enabled // in the attributes at least TPMDD::tpm_info_t tpmInfo; @@ -184,6 +185,11 @@ void* host_update_master_tpm( void *io_pArgs ) mutex_unlock(&(systemTpms.tpm[TPM_MASTER_INDEX].tpmMutex)); } + if (NULL == err) + { + // Log config entries to TPM - needs to be after mutex_unlock + err = tpmLogConfigEntries(systemTpms.tpm[TPM_MASTER_INDEX]); + } TRACDCOMP( g_trac_trustedboot, EXIT_MRK"host_update_master_tpm() - %s", @@ -322,4 +328,80 @@ void tpmReplayLog(TRUSTEDBOOT::TpmTarget & io_target) } } +errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget & io_target) +{ + TRACFCOMP(g_trac_trustedboot, ENTER_MRK"tpmLogConfigEntries()"); + + errlHndl_t l_err = NULL; + + do + { + // Create digest buffer and set to largest config entry size. + uint8_t l_digest[sizeof(uint64_t)]; + memset(l_digest, 0, sizeof(uint64_t)); + + // Security switches + uint64_t l_securitySwitchValue = Singleton<SECUREBOOT::Settings>:: + instance().getSecuritySwitch(); + TRACFCOMP(g_trac_trustedboot, "security switch value = 0x%X", + l_securitySwitchValue); + // Extend to TPM - PCR_1 + memcpy(l_digest, &l_securitySwitchValue, sizeof(l_securitySwitchValue)); + l_err = pcrExtend(PCR_1, l_digest, sizeof(l_securitySwitchValue), + "Security Switches"); + if (l_err) + { + break; + } + memset(l_digest, 0, sizeof(uint64_t)); + + // Chip type and EC + // Fill in the actual PVR of chip + // Layout of the PVR is (32-bit): (see cpuid.C for latest format) + // 2 nibbles reserved. + // 2 nibbles chip type. + // 1 nibble technology. + // 1 nibble major DD. + // 1 nibble reserved. + // 1 nibble minor D + uint32_t l_pvr = mmio_pvr_read() & 0xFFFFFFFF; + TRACDCOMP(g_trac_trustedboot, "PVR of chip = 0x%X", l_pvr); + // Extend to TPM - PCR_1 + memcpy(l_digest, &l_pvr, sizeof(l_pvr)); + l_err = pcrExtend(PCR_1, l_digest, sizeof(l_pvr),"PVR of Chip"); + if (l_err) + { + break; + } + memset(l_digest, 0, sizeof(uint64_t)); + + // Figure out which node we are running on + TARGETING::Target* l_masterProc = NULL; + TARGETING::targetService().masterProcChipTargetHandle(l_masterProc); + TARGETING::EntityPath l_entityPath = + l_masterProc->getAttr<TARGETING::ATTR_PHYS_PATH>(); + const TARGETING::EntityPath::PathElement l_pathElement = + l_entityPath.pathElementOfType(TARGETING::TYPE_NODE); + uint64_t l_nodeid = l_pathElement.instance; + // Extend to TPM - PCR_1,4,5,6 + memcpy(l_digest, &l_nodeid, sizeof(l_nodeid)); + const TPM_Pcr l_pcrs[] = {PCR_1,PCR_4,PCR_5,PCR_6}; + for (size_t i = 0; i < (sizeof(l_pcrs)/sizeof(TPM_Pcr)) ; ++i) + { + l_err = pcrExtend(l_pcrs[i], l_digest, sizeof(l_nodeid),"Node id"); + if (l_err) + { + break; + } + } + if (l_err) + { + break; + } + + } while(0); + + return l_err; +} + } // end TRUSTEDBOOT diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H index 2569de487..866e253e5 100644 --- a/src/usr/secureboot/trusted/trustedboot.H +++ b/src/usr/secureboot/trusted/trustedboot.H @@ -87,6 +87,15 @@ errlHndl_t tpmVerifyFunctionalTpmExists(); */ void tpmReplayLog(TRUSTEDBOOT::TpmTarget & io_target); +/** + * @brief Send config entries to tpm + * + * @param[in/out] io_target Current TPM target structure + * + * @return errlHndl_t NULL if successful, otherwise a pointer to the + * error log. + */ +errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget & io_target); } // end TRUSTEDBOOT namespace #endif |